Installing Active Directory

Installing Active Directory on a computer running Windows Server 2003 makes that computer a domain controller. During installation, you are given the option of setting the domain controller type as a domain controller either for a new domain or as an additional domain controller in an existing domain. If you make the domain controller part of a new domain, you can create a new domain in a new forest, a child domain in an existing domain tree, or a new domain tree in an existing forest. In fact, this is how you extend Active Directory structure from the first domain in a new forest to include additional domains and domain trees.

Active Directory Installation Options and Issues

You have several options for installing Active Directory. You can use one of the following:

  • Configure Your Server Wizard

  • Manage Your Server

  • Active Directory Installation Wizard

  • Active Directory Installation Wizard with backup media

All these installation techniques have one thing in common: at some point they all use the Active Directory Installation Wizard (Dcpromo.exe) to install Active Directory. They all also require that you use an account with administrator privileges. The administrator privileges you need depend on which of the following you are doing:

  • Creating a domain controller in a new forest. If you are creating a domain controller in a new forest, you should log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation.

  • Creating a domain controller in a new domain or a domain tree. If you are creating a domain controller in a new domain or a new domain tree in an existing forest, you should log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation.

    You will also be required to provide the credentials for an account that is a member of the Enterprise Admins group in the forest of which the domain will be a part.

  • Creating an additional domain controller in an existing domain. If you are creating an additional domain controller in an existing domain, you should consider whether you want to restore a backup of Active Directory from media rather than creating the domain controller from scratch. With either technique, you will need to log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation.

    You will also be required to provide the credentials for an account that is a member of the Domain Admins group in the domain of which the domain controller will be a part. It is not necessary for the server to be a member of the domain, as you will be given the opportunity to join the domain controller to the domain if necessary.

Before starting the Active Directory installation, you should examine local accounts and check for encrypted files and folders. As domain controllers do not have local accounts or separate cryptographic keys, making a server a domain controller deletes all local accounts and all certificates and cryptographic keys from the server. Any encrypted data on the server, including data stored using the Encrypting File System (EFS), must be decrypted before installing Active Directory or it will be permanently inaccessible.
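The pre-promotion check described above can be scripted. The following PowerShell script is an added example and is not from the book; it lists the local user accounts that promotion will delete and walks the fixed local drives for anything carrying the EFS Encrypted attribute, using only the WinNT ADSI provider and the .NET file attributes, so it needs no extra tools on the server.

```powershell
# Added example, not from the book: inventory what promotion will destroy.
# Uses the WinNT ADSI provider and the file system Encrypted attribute, both
# available on a stock Windows Server 2003 installation with PowerShell.

function Get-LocalUserAccounts {
    # Local user accounts; all of them disappear when the server becomes a DC.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    @($computer.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'User' } |
        ForEach-Object { $_.psbase.Name })
}

function Get-EncryptedItems {
    # Every file or folder under the given roots that carries the EFS Encrypted
    # attribute. Folders are reported too, because a folder marked encrypted
    # makes files created in it encrypted as well.
    param([string[]]$Roots)
    $encrypted = [System.IO.FileAttributes]::Encrypted
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $encrypted) -ne 0 } |
            ForEach-Object { $_.FullName }
    }
}

# Fixed local drives only (DriveType 3); promotion does not touch network shares.
$roots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }

'Local user accounts that promotion will remove:'
Get-LocalUserAccounts | ForEach-Object { "  $_" }

$items = @(Get-EncryptedItems -Roots $roots)
"EFS-encrypted items found: $($items.Count)"
$items | ForEach-Object { "  $_" }
if ($items.Count -gt 0) {
    'Decrypt these items (for example with cipher /d) before running dcpromo; afterwards they cannot be recovered.'
}
```

Run it as a local administrator so the recursive walk can read every profile folder; an item the account cannot read is skipped silently, so an empty result from a restricted account is not proof that no encrypted data exists.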

Using the Configure Your Server Wizard

You can start an Active Directory installation using the Configure Your Server Wizard. Select Configure Your Server Wizard from the Administrative Tools menu. When the wizard starts, as shown in Figure 36-1, click Next twice. The wizard will then gather information about the server configuration. On the Server Role page, select Domain Controller (Active Directory), and then click Next twice. Configure Your Server then starts the Active Directory Installation Wizard, which is discussed next.

Figure 36-1. The Configure Your Server Wizard.

Using the Active Directory Installation Wizard

You can start the Active Directory Installation Wizard via the Configure Your Server Wizard or by typing dcpromo at the command prompt. Once you start the wizard, the Welcome page appears, as shown in Figure 36-2. The way you continue depends on whether you are adding an additional domain controller for an existing domain or creating a domain controller in a new domain.

Figure 36-2. The Active Directory Installation Wizard.

Creating Additional Domain Controllers for an Existing Domain

To create an additional domain controller for an existing domain, follow these steps:

  1. Start the Active Directory Installation Wizard as discussed previously. Click Next twice to skip the Operating System Compatibility page; I've discussed the compatibility needs in the section entitled "Connecting Clients to Active Directory" earlier in this chapter. Continue with the installation.

  2. On the Domain Controller Type page, shown in Figure 36-3, select Additional Domain Controller For An Existing Domain. Click Next.

    Figure 36-3. Specify the role for the domain controller.

    Caution

    Before continuing, make sure you check for encrypted files and folders as discussed in the section entitled "Active Directory Installation Options and Issues" earlier in this chapter. If you don't do this and there are encrypted files and folders present, you will no longer be able to decrypt them.

  3. On the Network Credentials page, type the user name, password, and user domain of an account with Domain Admins privileges. Click Next.

  4. On the Database And Log Folders page, shown in Figure 36-4, select a location to store the Active Directory database folder and log folder. The default location for both is %SystemRoot%\NTDS. As discussed in the section entitled "Hardware and Configuration Considerations for Domain Controllers" earlier in this chapter, you'll get better performance if these folders are on two separate volumes, each on a separate disk. Click Next when you are ready to continue.

    Figure 36-4. Specify the location for the Active Directory database and log folders.

  5. On the Shared System Volume page, shown in Figure 36-5, select a location to store the Sysvol folder. The default location is %SystemRoot%\Sysvol. In most cases, you'll want to accept the default. The File Replication Service (FRS), which is responsible for replicating the Sysvol folder to other domain controllers as well as to other distributed file system (DFS) shares on the server, stores its database in the %SystemRoot%\NTFRS folder anyway, so by keeping the folders on the same volume, you reduce the need to move files between drives.

    Figure 36-5. Specify the location for the Sysvol folder.

  6. When you click Next, the wizard examines the network environment and attempts to register the domain and the domain controller in DNS. If it has any problems with registration, the wizard displays a diagnostics page like the one shown in Figure 36-6. Here, you have the opportunity to correct the problem with DNS and check again, to install and configure Microsoft DNS on the server, or to configure DNS later. In most cases, you'll want to use one of the first two options—either by making the necessary changes to the server's DNS configuration or by allowing the wizard to install DNS. If you choose the third option, you'll need to make several advanced modifications to DNS and create a number of records manually—don't do this when the wizard can do it for you.

    Figure 36-6. Verify DNS support and optionally choose to install the DNS Server service.

    Note

    If you choose to let the wizard install DNS, the DNS Server service will be installed and the domain controller will also act as a DNS server. A primary DNS zone will be created as an Active Directory–integrated zone with the same name as the new domain you are setting up. The wizard will also update the server's TCP/IP configuration so that its primary DNS server is set to itself—unless you forgot to change the server's dynamic IP address to a static one, in which case you'll be prompted to configure the TCP/IP settings yourself.

  7. Click Next to display the Permissions page, and then select the default permissions for users and groups, as shown in Figure 36-7.

    Figure 36-7. Specify the default permissions for users and groups.

    The available options on this page are as follows:

    • Permissions Compatible With Pre–Windows 2000 Server Operating Systems—Select this option to reduce the default security and allow anonymous user logons. Select this option only if the domain will have Windows NT servers running Windows NT applications or services that require anonymous user logons, such as Remote Access Service (RAS) or SQL Server running on Windows NT 4. By selecting this option, you are telling the wizard to add the special groups Everyone and Anonymous Logon to the Pre-Windows 2000-Compatible Access domain local group on the server and to fully allow anonymous logon and anonymous access to Active Directory data.

    • Permissions Compatible Only With Windows 2000 Or Windows Server 2003 Operating Systems—Select this option to enforce the default security and prevent anonymous user logons. If the domain will have Windows 2000 or later computers running Windows 2000 or later services and applications, choose this option. When this option is selected, only authorized users can log on to the domain and access Active Directory data.

    Tip

    In a domain where permissions have been configured to be compatible with Windows NT 4 services and applications, you can later change the domain environment so that anonymous logon and anonymous access are no longer allowed. Once you've upgraded all Windows NT 4 servers, services, and applications in the domain, you should do this to enhance security. Simply remove the members from the Pre-Windows 2000-Compatible Access group in Active Directory Users And Computers.

  8. Click Next, and then type and confirm the password that should be used when you want to start the computer in Directory Services Restore Mode, as shown in Figure 36-8. Be sure to track this password carefully. This special password is used only in Restore mode and is different from the Administrator account password.

    Figure 36-8. Specify the password for Directory Services Restore Mode.

  9. Click Next. Review the installation options. When you click Next again, the wizard will use the options you've selected to install and configure Active Directory. This process can take several minutes. Your options are as follows:

    • If you specified that the DNS Server service should be installed, the server will also be configured as a DNS Server at this time. In this case, the wizard will also check to make sure that the server isn't using a dynamic IP address. If it is, you'll see the Choose Connection dialog box. You'll need to choose a network connection, and then click Properties. This displays the Internet Protocol (TCP/IP) Properties dialog box, which you can use to set a static IP address and the necessary TCP/IP settings for the computer. Click OK twice to close these dialog boxes and continue with the DNS server installation.

    • If you are installing an additional domain controller in an existing domain, the domain controller will need to obtain updates of all the directory partitions from other domain controllers and will do this by initiating a full synchronization. The only way to avoid this is to make a media backup of Active Directory on an existing domain controller, start the Active Directory Installation Wizard in Advanced mode, and then specify the backup media to use during installation of Active Directory.

  10. When the wizard finishes configuring Active Directory, click Finish. You are then prompted to restart the domain controller. Click Restart Now to reboot.
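The Tip under step 7 says to clear the Pre-Windows 2000 Compatible Access group once Windows NT 4 dependencies are gone. The following PowerShell script is an added example, not code from the book; it reports whether that group still contains the Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) principals, relying on the fact that non-domain principals appear in the group's member attribute as entries under the ForeignSecurityPrincipals container. It uses only the built-in [ADSI] accessor.

```powershell
# Added example, not from the book: report whether the Pre-Windows 2000
# Compatible Access group still holds the anonymous principals that the
# "compatible with pre-Windows 2000" option adds. Only the built-in [ADSI]
# accessor is used, so no extra tools are needed on the domain controller.

# Well-known SIDs the weaker option places in the group. Principals that are
# not domain objects are stored as foreign security principals, whose DN is
# CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>.
$anonymousSids = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-PreWin2000AccessMembers {
    # Returns the distinguished names held in the group's member attribute.
    param([string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $group = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$DomainDn"
    @($group.member)
}

function Get-AnonymousPrincipalName {
    # Maps a member DN to 'Everyone' or 'Anonymous Logon' when it is one of the
    # anonymous SIDs above; returns $null for any other member.
    param([string]$MemberDn)
    if ($MemberDn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
        $sid = $Matches[1]
        if ($anonymousSids.ContainsKey($sid)) { return $anonymousSids[$sid] }
    }
    return $null
}

$findings = @(foreach ($dn in Get-PreWin2000AccessMembers) {
    $name = Get-AnonymousPrincipalName $dn
    if ($name) { "$name ($dn)" }
})

if ($findings.Count -eq 0) {
    'Pre-Windows 2000 Compatible Access contains no anonymous principals.'
} else {
    'Anonymous access to directory data is still allowed through these members:'
    $findings | ForEach-Object { "  $_" }
}
```

A non-empty report means the domain is still in the relaxed state the Tip describes; remove the listed members in Active Directory Users And Computers as the Tip says, then rerun the script to confirm.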

After installing Active Directory, you should verify the installation by doing the following (in no particular order):

  • Examine the log of the installation, which is stored in the Dcpromo.log file in the %SystemRoot%\Debug folder. As shown in the following screen, the log is very detailed and takes you through every step of the installation process, including the creation of directory partitions and the securing of the Registry for Active Directory.

  • Check for DNS updates in the DNS console shown in the following screen. If you added a domain controller to an existing domain, DNS is updated to add SRV records for the server. If you created a new domain, DNS is updated to include a Forward Lookup Zone for the domain.

  • Check for updates in Active Directory Users And Computers. For example, check to make sure the new domain controller is listed in the Domain Controllers OU, as shown in the following screen:

    If you created a new domain, the following containers are created and populated as appropriate:

    • Builtin contains the built-in accounts for administration, including Administrators and Account Operators.

    • Computers contains computer accounts for the domain.

    • Domain Controllers contains the domain controller accounts and should have an account for the domain controller you installed.

    • ForeignSecurityPrincipals is a container for security principals from other domain trees.

    • Users is the default container for user accounts in the domain.
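The three post-installation checks above (the Dcpromo.log review, the DNS SRV records, and the Domain Controllers OU) can be repeated from one script. The following PowerShell script is an added example and not from the book; it uses only nslookup and the built-in [ADSI] accessor, and the pattern it scans Dcpromo.log with is a heuristic over the log's wording rather than a documented format.

```powershell
# Added example, not from the book: repeatable form of the three post-installation
# checks (Dcpromo.log, DNS SRV records, Domain Controllers OU). Uses only nslookup
# and the built-in [ADSI] accessor, present on any Windows Server 2003 DC.

function Get-DcpromoLogProblems {
    # Lines in %SystemRoot%\Debug\Dcpromo.log tagged as errors or reporting a
    # failure. The pattern is a heuristic, not a documented log format.
    param([string]$LogPath = (Join-Path $env:SystemRoot 'Debug\Dcpromo.log'))
    if (-not (Test-Path $LogPath)) { return @("Log not found: $LogPath") }
    @(Get-Content $LogPath | Where-Object { $_ -match '\[ERROR\]|failed|failure' })
}

function Get-DcSrvHosts {
    # Hostnames behind _ldap._tcp.dc._msdcs.<domain>, the SRV record every
    # domain controller registers for itself.
    param([string]$DnsDomain)
    $output = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" 2>$null
    @($output | ForEach-Object {
        if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.').ToLower() }
    })
}

function Test-InDomainControllersOu {
    # True when a computer object with this name sits in the Domain Controllers OU.
    param(
        [string]$ComputerName,
        [string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $ou = [ADSI]"LDAP://OU=Domain Controllers,$DomainDn"
    foreach ($child in $ou.psbase.Children) {
        if ([string]$child.cn -eq $ComputerName) { return $true }
    }
    return $false
}

# The host's primary DNS suffix is the domain's DNS name after promotion.
$dnsDomain = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
$fqdn = "$env:COMPUTERNAME.$dnsDomain".ToLower()

$problems = @(Get-DcpromoLogProblems)
"Dcpromo.log: $($problems.Count) problem line(s)"
$problems | ForEach-Object { "  $_" }

$srvHosts = @(Get-DcSrvHosts -DnsDomain $dnsDomain)
if ($srvHosts -contains $fqdn) { "DNS: SRV record for $fqdn is registered" }
else { "DNS: no SRV record points at $fqdn; check the server's DNS registration" }

if (Test-InDomainControllersOu -ComputerName $env:COMPUTERNAME) {
    "AD: $env:COMPUTERNAME is listed in the Domain Controllers OU"
} else {
    "AD: $env:COMPUTERNAME is not in the Domain Controllers OU"
}
```

Run it on the new domain controller after the reboot in step 10. A missing SRV record right after promotion usually means the DNS registration the wizard attempted in step 6 did not complete, which is the case the diagnostics page in Figure 36-6 exists to catch.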

Creating Domain Controllers in a New Domain

To create a domain controller in a new domain, start the Active Directory Installation Wizard as discussed previously. Click Next twice to skip the Operating System Compatibility page; I've discussed the compatibility needs in the section entitled "Connecting Clients to Active Directory" earlier in this chapter. Continue with the installation.

On the Domain Controller Type page, select Domain Controller For A New Domain. Click Next. You will next need to choose one of the following:

  • Create a root domain in a new forest. Choose this option to establish the first domain controller in the organization or to install a new forest that is completely separate from any existing forests. By choosing this option, you are establishing the forest root domain. This means that the domain controller will have operations master roles across both the forest and the domain.

    1. When you click Next, you will go directly to the New Domain Name page, skipping the Network Credentials page. You don't need specific credentials because you are establishing a new forest with its own set of security groups.

    2. Click Next again to display the New Domain Name page shown in the following screen. Type the full DNS name for the new domain. Domain names are not case-sensitive and use the letters A to Z, the numerals 0 to 9, and the hyphen (-) character. Each component of the domain name must be separated by a dot (.) and cannot be longer than 63 characters.

  • Create a child domain in an existing domain tree. Choose this option to establish the first domain controller in a domain that is a child domain of an existing domain. By choosing this option, you are specifying that the necessary parent domain already exists. For example, you would choose this option if the parent domain cpandl.com had already been created and you wanted to create the tech.cpandl.com domain as a child of this domain.

    1. When you click Next, you will see the Network Credentials page. On this page, type the user name, password, and user domain of an account with Enterprise Admins privileges.

    2. Click Next again to display the Child Domain Installation page shown in the following screen. In the Parent Domain field, type the full DNS name for the parent domain, such as cpandl.com, or click Browse to search for an existing domain to use. In the Child Domain field, type the name component of the child domain, such as tech.

  • Create a domain tree in an existing forest. Choose this option to establish a new domain tree that is separate from any existing trees in the existing Active Directory forest. By choosing this option, you are specifying that there isn't an existing parent domain with which the new domain should be associated. For example, you would choose this option if the cohowinery.com domain already existed and you wanted to establish the cohovineyard.com domain in a new tree in the existing forest.

    1. When you click Next, you will see the Network Credentials page. On this page, type the user name, password, and user domain of an account with Enterprise Admins privileges.

    2. Click Next again to display the New Domain Tree page shown in the following screen. Type the full DNS name for the new domain. The domain name you use should not be a subdomain of an existing parent domain in any tree of the forest.

When you click Next, the Active Directory Installation Wizard will use the domain name you specified to set a default NetBIOS domain name. You can accept the default or type a new NetBIOS name of up to 15 characters. If there are any problems creating the default name, the wizard will display a warning prompt similar to the one shown in the following screen.

The wizard displays this prompt when there is a conflict with the default name originally selected and an alternative name has to be used. Here, I was configuring a domain tree named cpandl.local for internal use within City Power & Light, and there was an existing tree for cpandl.com. The conflict caused the wizard to choose the NetBIOS name CPANDL0, since a domain with the NetBIOS name CPANDL already existed on the network.

The rest of the installation will proceed as previously discussed. Continue with steps 4-10 and the post-installation checks discussed in the previous section.

Using the Active Directory Installation Wizard with Backup Media

Whenever you install an additional domain controller in an existing domain, you should consider whether you want to restore a backup of Active Directory from media rather than creating the domain controller from scratch. Doing so allows the Active Directory Installation Wizard to get the initial data for the Configuration, Schema, and Domain directory partitions from backup media rather than performing a full synchronization over the network.

Not only does this reduce the amount of network traffic, which is especially important when installing domain controllers in remote sites that are connected by low bandwidth WAN links, it can also greatly speed up the process of installing an additional domain controller and getting the directory partition data synchronized. This means that rather than having to get the full data in Configuration, Schema, and Domain directory partitions, the domain controller only needs to get the changes made since the backup media was made. This can mean that only several megabytes of replication traffic are generated rather than several gigabytes, and on a busy or low-bandwidth network this can be very important.

Note

Restoring Active Directory from backup media is not designed to be used to restore failed domain controllers. To restore failed domain controllers, you should use System State restore as this ensures that all the data that needs to be restored is recovered as necessary, including Registry settings, Sysvol data, and Active Directory data.

There are a few guidelines that you should follow when installing Active Directory from backup media:

  • Always try to use the most recent backup of Active Directory possible. This will reduce the number of updates that must be replicated to the domain controller, which in turn will minimize the post-installation replication traffic.

  • Always use a backup of a domain controller in the same domain in which the new domain controller is being created, and always use a backup from another Windows Server 2003 domain controller and not from a Windows 2000 domain controller.

  • Always restore the backup to a local drive on the server for which you are installing Active Directory. You cannot use backup media from Universal Naming Convention (UNC) paths or mapped drives.

  • Never use backup media that is older than the tombstone lifetime of the domain. The default value is 60 days. If you try to use backup media older than 60 days, the Active Directory installation will fail. For more information on tombstone lifetime and why it is important, see the section entitled "Extensible Storage Engine".
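The tombstone-lifetime guideline is the one that fails hard at installation time, so it is worth checking before the backup is restored and dcpromo /adv is started. The following PowerShell script is an added example and not from the book; it reads the forest's tombstoneLifetime value from the Directory Service object in the Configuration partition with the built-in [ADSI] accessor, falls back to the 60-day default the text gives when the attribute is not set, and compares it with the age of the backup file. The backup path is a hypothetical placeholder.

```powershell
# Added example, not from the book: before restoring a System State backup for
# dcpromo /adv, confirm it is younger than the domain's tombstone lifetime.
# Reads the setting with the built-in [ADSI] accessor; the backup path is a
# hypothetical placeholder.

function Get-TombstoneLifetimeDays {
    # The value is stored on the Directory Service object in the Configuration
    # partition. When the attribute is not set, the directory uses the default
    # the chapter gives (60 days), so that is the fallback here.
    $configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
    $value = $ds.psbase.Properties['tombstoneLifetime'].Value
    if ($value -ne $null -and [int]$value -gt 0) { return [int]$value }
    return 60
}

function Test-BackupAge {
    # Pure comparison: is the backup younger than the lifetime? Returns an
    # object so the caller can print or branch on the numbers.
    param(
        [datetime]$BackupTime,
        [int]$TombstoneLifetimeDays,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = ($Now - $BackupTime).TotalDays
    New-Object PSObject -Property @{
        AgeDays   = [math]::Round($ageDays, 1)
        LimitDays = $TombstoneLifetimeDays
        Usable    = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# The .bkf written in step 1 below; its last-write time is when the backup completed.
$backupFile = 'D:\Backups\SystemState.bkf'   # hypothetical path
$result = Test-BackupAge -BackupTime (Get-Item $backupFile).LastWriteTime `
                         -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)

if ($result.Usable) {
    "Backup is $($result.AgeDays) days old, within the $($result.LimitDays)-day tombstone lifetime."
} else {
    "Backup is $($result.AgeDays) days old, older than the $($result.LimitDays)-day tombstone lifetime; take a fresh backup."
}
```

Run it from a domain-joined machine that can reach an existing domain controller, since the lifetime is read from the directory itself; the backup's age is judged against the time the file was last written, which for a .bkf is when the backup finished.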

With these guidelines in mind, you can create an additional domain controller from backup media by completing the following steps:

  1. Create a System State backup on a domain controller in the domain using the Backup utility. You can start Backup by typing ntbackup at the command line or in the Run dialog box, or by clicking Start, Programs or All Programs, Accessories, System Tools, Backup. By default, Backup starts in wizard mode. To change this behavior, clear Always Start In Wizard Mode, and then click Advanced Mode. This takes you to the main Backup interface.

  2. Select the Backup tab, and then select the System State check box as shown in the following screen. You can then configure the rest of the backup as you would any other backup. This includes selecting the other data you want to back up, specifying the backup media to use, and clicking Start Backup to begin the backup process.

  3. Restore the System State backup to the server you want to be a domain controller. For example, write the backup to a DVD, and then access the DVD using the NTBACKUP command on the server that you want to be a domain controller. Start NTBACKUP, and then click Restore And Manage Media as shown in the following screen.

  4. Catalog the backup file so that its details are available on the current computer. From the Tools menu, select Catalog A Backup File. In the Open Backup File dialog box, type the full file path to the backup file on the DVD or click Browse to find the backup file, and then click OK.

  5. Expand the backup media entry, and then select System State, which is what you want to restore.

  6. Under Restore Files To, select Alternate Location, and then, under Alternate Location, select the folder in which to restore the backup. Click Start Restore. When notified that you aren't restoring the System State, click OK. This is as it should be. Click OK again to begin the restore. Click Close when the restore finishes.

  7. On the server you want to make a domain controller, install Active Directory in Advanced mode. You start the Active Directory Installation Wizard in Advanced mode by typing dcpromo /adv at a command prompt.

  8. On the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, and then click Next.

  9. On the Copying Domain Information page, select From These Restored Backup Files, and then type the location of the restored backup files or click Browse to find them.

  10. You can now complete the rest of the installation as discussed in the section entitled "Creating Additional Domain Controllers for an Existing Domain" earlier in this chapter. Continue with steps 3 to 10 and perform the post-installation checks as well.
